We analyze a protocol which generates secret key from correlations that violate a Bell inequality
by a sufficient amount, and prove its security against eavesdroppers which are only constrained
by the fact that any information accessible to them must be compatible with the impossibility
of arbitrarily fast signaling. We prove unconditional security according to the strongest notion,
the so-called universally-composable security. The no-signaling assumption is imposed at the level
of the outcome probabilities given the choice of the observable; therefore, the protocol remains
secure in situations where the honest parties do not have complete control over their quantum
apparatuses, or distrust them. The techniques developed are very general and can be applied to other
Bell inequality-based protocols. In particular, we provide a scheme for estimating Bell-inequality
violations when the samples are not independent and identically distributed.



I. INTRODUCTION 

In entanglement-based protocols for quantum key dis- 
tribution (QKD) [1] two honest parties (Alice and Bob) 
can obtain a secure secret key by performing measure- 
ments on shared EPR pairs [2]. They can also certify 
that they have EPR pairs by observing sufficiently strong 
violations of Bell inequalities [3-5] . When the EPR pairs 
are noisy, measurements lead to noisy and partially se- 
cret correlations. In order to obtain perfect secret bits, 
error correction and privacy amplification have to be per- 
formed, with the assistance of local operations and pub- 
lic communication (LOPC) [6]. Before implementing this 
procedure, however, an estimate of the quality of the cor- 
relations needs to be performed. Formulated in a differ- 
ent way, an estimate of the maximal amount of informa- 
tion that an eavesdropper (Eve) has about Alice's and 
Bob's bits has to be performed. This is done by ex- 
ploiting the monogamy of entanglement, which imposes 
trade-offs between the entanglement between Alice and 
Bob, and Eve's correlations with them [7]. 

A way of estimating the degree of entanglement that
Alice and Bob share is to perform quantum tomography
[8]. In order to do so, they have to assume that the
quantum systems they measure live on a state space of a
particular dimension d (usually two). This assumption,
though strong, is usually not mentioned in the
presentations of QKD. In particular, it implies that Alice and
Bob must trust their apparatuses (see [9] for a detailed
discussion).

A framework in which one can analyze quantum corre- 
lations without knowledge of the dimension d is to con- 
sider them in the larger set of no-signaling correlations 
[10]. No-signaling correlations are characterized by the 
assumption that no measuring process can be used to send 
information between distant locations. In this framework, 
the origin of the correlations, the kind of system that 
has been measured, and in particular, the dimension d 
of the underlying quantum system, do not matter. It is 
shown in [10] that, if the obtained correlations violate 
some Bell inequality then there is some degree of privacy 
in them — in the sense that secret key is needed to create 
these correlations by LOPC. 

The first protocol proved secure against a no-signaling
eavesdropper is the BHK-protocol, introduced in [11].
However, the security analysis provided was limited: it
only applies to the noiseless regime and has a vanishing
secret key rate. In [12] it was shown that the BHK-protocol
with a positive key rate is secure against individual
attacks, even in the noisy regime. In the present
paper we generalize this result to completely general
attacks. The security definition that we use is the strongest
one, the so-called universally-composable security. One
calls a cryptographic primitive (for instance key
distribution) universally composable if it is secure in any
arbitrary context (for instance one-time pad encryption)
[13, 14]. The secret key rate that we obtain is comparable
to the one obtained when the eavesdropper is constrained
by quantum mechanics, and when the devices are fully
specified and trusted.

In order to do so, we introduce an exponentially- 
accurate scheme for estimating symmetric properties of 
arbitrary multipartite probability distributions. Also, we 
prove the security of privacy amplification in a similar 
way as in [15]. Our proof has the advantage that it can
accommodate any error-correction scheme.

The paper is structured in the following way. In Sec- 
tion II we introduce some preliminaries: nonsignaling 
correlations, nonlocality, and their relation to privacy. 
In Section III we describe the protocol, and explain how 
to implement it with quantum devices. In Section IV we 
explain the security criterion. In Section V we compute
the secret key rate in a practical scenario. In Section 
VI we provide the complete security proof, distributed in 
several subsections. Section VII contains the conclusions. 



II. PRELIMINARIES 
A. Nonsignaling correlations 

We use upper-case $A$ to denote the random variable
whose particular outcome is the corresponding lower-case
$a$. We use bold letters to denote strings of variables
$\mathbf{a} = (a_1, \ldots, a_N)$ or random variables $\mathbf{A} = (A_1, \ldots, A_N)$.

Alice and Bob share $N$ pairs of physical systems, labeled
by $n \in \{1, \ldots, N\}$. Alice measures her $n$th system
with one of the $M$ observables $X_n \in \{0, 1, \ldots, M-1\}$,
obtaining the outcome $A_n \in \{0,1\}$. Analogously, Bob
measures his $n$th system with one of the $(M+1)$
observables $Y_n \in \{0, 1, \ldots, M\}$ and obtains the outcome
$B_n \in \{0,1\}$. The chosen observables and their
corresponding outcomes for the $N$ pairs of systems are
represented by the random variables $\mathbf{A}, \mathbf{B}, \mathbf{X}, \mathbf{Y}$, which are
correlated according to the joint conditional probability
distribution $P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y}}$. The number $P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y}}(\mathbf{a}, \mathbf{b}, \mathbf{x}, \mathbf{y})$
is the probability of obtaining the strings of outcomes
$\mathbf{a}, \mathbf{b} \in \{0,1\}^N$ when measuring $\mathbf{x} \in \{0, \ldots, M-1\}^N$ and
$\mathbf{y} \in \{0, \ldots, M\}^N$. The only assumption about this
distribution is the following.

The no-signaling assumption: The choice of observ- 
able for one system cannot modify the marginal distribu- 
tion for the rest of systems. 

More formally, we impose the following condition among
any two sets of subsystems with input $I_1, I_2$ and output
$O_1, O_2$:

$\sum_{o_2} P_{O_1,O_2|I_1,I_2}(o_1, o_2, i_1, i_2) = \sum_{o_2} P_{O_1,O_2|I_1,I_2}(o_1, o_2, i_1, i_2')$

for all $i_2, i_2', o_1, i_1$. Although the two sets of subsystems
are arbitrary, the above constraints turn out to be
equivalent to the ones where $(O_2, I_2)$ corresponds to a single
subsystem $(A_n, X_n)$ or $(B_n, Y_n)$. It is important to
note that if these equalities were not satisfied, arbitrarily
fast signaling between separated subsystems could be
achieved. Also, if not for this assumption, the notion of
subsystem would make no sense. General properties of
nonsignaling correlations are shown in [10].

In the cryptographic scenario one assumes that the
only information accessible to Eve (apart from the public
messages exchanged by Alice and Bob) is the outcome
$E$ obtained when measuring a physical system with an
observable $Z$. Without loss of generality we assume that
Eve has only one system. The sole assumption that we
use in the security proof is that the global $(2N+1)$-partite
distribution $P_{\mathbf{A},\mathbf{B},E|\mathbf{X},\mathbf{Y},Z}$ is a nonsignaling one. Apart
from this, this distribution is completely arbitrary.

It is important to stress that systems inside Alice's 
laboratory must not signal each other, and the same for 
Bob. This may be quite difficult to implement in practice, 
but it is, in principle, possible. 

B. Nonlocality and privacy 

A bipartite distribution $P_{A,B|X,Y}$ is said to be local if
it can be written as

$P_{A,B|X,Y} = \sum_v P_V(v)\, P_{A|X,V}(v)\, P_{B|Y,V}(v)$ . (1)

Local distributions can be generated by shared randomness
(denoted $V$ above) between the parties, plus local
operations. A distribution $P_{A,B|X,Y}$ which cannot be
written as (1) is said to be nonlocal.

By definition, Bell inequalities [3-5] are satisfied by
all local distributions (1). In this paper, we concentrate
on the Braunstein-Caves (BC) Bell inequality [5]. For
any distribution $P_{A,B|X,Y}$ with $A, B \in \{0,1\}$ and $X, Y \in
\{0, \ldots, M-1\}$, let $P_{X,Y}$ be uniform on the set

$\{(x, y) : y = x \text{ or } y = x + 1 \bmod M\}$ , (2)

and define the random variable

$\mathcal{B}[A,B,X,Y] = \frac{1}{2} + M\,(A \oplus B \oplus I\{X = M-1\}\, I\{Y = 0\})$ , (3)

where the indicator function is defined as $I\{\mathrm{true}\} = 1$,
$I\{\mathrm{false}\} = 0$. The BC-inequality for $M$ observables [5]
can be written as

$\langle \mathcal{B} \rangle \geq 1$ . (4)
The bipartite distribution $P_{X,Y}$ can be generated between
two noncommunicating parties in the following
way: (i) $X, Y$ are independently generated with uniform
distribution over $\{0, \ldots, M-1\}$, (ii) after the measurements,
once communication is allowed, the two parties
post-select the events where $(X, Y)$ is in the set (2). As
mentioned above, any local distribution (1) satisfies (4).
The BC-inequality for $M = 2$ is equivalent to the
CHSH-inequality [4]

$\langle A \oplus B \oplus I\{X = 1\}\, I\{Y = 0\} \rangle \geq \frac{1}{4}$ , (5)

where here, the random variables $X, Y$ are independent
and uniform on $\{0, 1\}$.

Suppose that Eve is correlated to Alice through the
global distribution $P_{A,B,E|X,Y,Z}$. If Alice measures $X = 0$,
we can quantify the knowledge that Eve has about $A$
with the (optimal) correct-guessing probability

$P_{\rm guess}(A|E) = \max_z \sum_e \max_a P_{A,E|X,Z}(a, e, 0, z)$ . (6)

If $P_{\rm guess}(A|E) = 1$ then Eve knows $A$ with certainty.
If $P_{\rm guess}(A|E) = 1/2$ then Eve is completely ignorant
about the value of $A$. In this paper it is shown that the
knowledge that Eve has about $A$ can be upper-bounded
by the amount of nonlocality that Alice and Bob share

$P_{\rm guess}(A|E) \leq \langle \mathcal{B} \rangle$ . (7)

If the marginal for the honest parties $P_{A,B|X,Y}$ violates
the BC-inequality (4), then according to (7), the probability
that Eve guesses correctly is smaller than one. This
is the reason why the Bell inequality (4) is unconventionally
written as a lower bound: the more nonlocality
the honest parties share, the lower $\langle \mathcal{B} \rangle$ is, and the less
knowledge Eve has (7). This is one manifestation of the
monogamy of nonlocal correlations [10].



III. THE PROTOCOL

A. Implementation with quantum devices

Here we explain how to implement the protocol with
quantum-mechanical devices. This is not necessary for
defining the protocol, or proving its security. However, it
helps to understand the reasons behind its particular design.

Suppose Alice and Bob share many copies of the noisy
EPR state

$\rho = p\,\Phi + (1-p)\,\frac{I}{4}$ , (8)

where $0 < p < 1$ is the purity, $\Phi$ is the projector onto
$|00\rangle + |11\rangle$, and $I$ the four-dimensional identity matrix.
They perform the measurements in the following orthogonal
basis. The observable $x \in \{0, \ldots, M-1\}$ for Alice
is

|0)Te*'*|l), (9)

the observable $y \in \{0, \ldots, M-1\}$ for Bob is

|0)Te-^-^|l) , (10)

and the observable $y = M$ for Bob is

$|0\rangle \pm |1\rangle$ , (11)

the same as Alice's $x = 0$. In the Bloch sphere, these
observables correspond to the directions represented in
FIG. 1. The observables $x, y \in \{0, \ldots, M-1\}$ are the
ones used to obtain large violations of the BC-inequality
[5]. For $M = 2$, the settings (9, 10) are the ones which
maximize the violation of the CHSH-inequality [4] for the
state (8). The observables $x = 0$, $y = M$ maximize the
correlation between Alice and Bob, and hence, are used
to generate the raw key.

FIG. 1: Location in the equator of the Bloch sphere of the
observables for M = 4.



B. Description of the protocol 

Recall that for each value of M we have a different 
protocol. 

1. Distribution and measurements. Alice and Bob
are given pairs of systems. Alice generates the random
bits $\mathbf{I} = (I_1, \ldots, I_N)$ independently and with identical
distribution: $P_I(0) = 1 - \delta$, $P_I(1) = \delta$, for a small
$\delta > 0$. Analogously, Bob generates the random bits
$\mathbf{J} = (J_1, \ldots, J_N)$ independently and with identical
distribution $P_J = P_I$. Pairs such that $I_n = J_n = 0$ are used
to generate the raw key, and pairs such that $I_n = J_n = 1$
are used to estimate how much nonlocality Alice and Bob
share. For each $n \in \{1, \ldots, N\}$, if $I_n = 0$ Alice measures
her $n$th system with $X_n = 0$, if $I_n = 1$ she measures it
with $X_n$ chosen uniformly on $\{0, \ldots, M-1\}$; if $J_n = 0$
Bob measures his $n$th system with $Y_n = M$, if $J_n = 1$ he
measures it with $Y_n$ chosen uniformly on $\{0, \ldots, M-1\}$.

2. Estimation of nonlocality. They publish $\mathbf{I}$, $\mathbf{J}$ and
for the pairs $n$ such that $I_n = J_n = 1$ they publish the
outcomes $(A_n, B_n, X_n, Y_n)$. The subset of those pairs
such that

$Y_n = X_n$ or $Y_n = X_n + 1 \bmod M$ (12)

is denoted by $\mathcal{N}_e$. With those pairs they compute the
average value for the BC-inequality



Be 



(13) 



where $\mathcal{B}_n = \mathcal{B}[A_n, B_n, X_n, Y_n]$ is defined in (3). The
number of estimated systems is $N_e = |\mathcal{N}_e| \approx 2N\delta^2/M$
with high probability. Here and in the rest of the paper
the symbol $\approx$ denotes equality up to subleading terms.
As we will see, the asymptotic efficiency of the protocol
does not depend on the subleading terms. The outcomes
of the systems with $I_n = J_n = 0$, which have not been
published, are denoted by $\mathbf{A}_r, \mathbf{B}_r$. These are the two
versions of the raw key, and we denote their length by $N_r$.

3. Error correction. Alice publishes bits of information
about the raw key $C = f(\mathbf{A}_r)$, which Bob uses in
order to correct the errors in his raw key: $\mathbf{B}_r \to \mathbf{B}_r' \approx \mathbf{A}_r$.
Any error-correction method can be inserted here, as long
as the probability that $\mathbf{B}_r' \neq \mathbf{A}_r$ vanishes as $N$ grows.

4. Privacy amplification. Alice generates and publishes
the two-universal random function $G : \{0,1\}^{N_r} \to
\{0,1\}^{N_s}$ (see Definition 8 or [18]) with output length



TV, «iV,21og2 



V2B, 



(14) 



'est 



(see Definition 8). Alice and Bob respectively compute
$G(\mathbf{A}_r)$ and $G(\mathbf{B}_r')$, which constitute their corresponding
versions of the final secret key.
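
The four steps above, run on simulated data, as an added example (not code from the paper). Assumptions of this sketch: the nonsignaling device model with parameters `e_test` and `w_key`, all function names, a random binary matrix as the two-universal family, and an output length of $N_r\,[2\log_2(1/(\sqrt{2}\,\mathcal{B}_{\rm est})) - h(w)]$; error correction (step 3) is not implemented.

```python
import math
import random


def bc_value(a, b, x, y, M):
    """B[A,B,X,Y] of Eq. (3): 1/2 + M * (a XOR b XOR 1{x=M-1} 1{y=0})."""
    return 0.5 + M * (a ^ b ^ int(x == M - 1 and y == 0))


def in_test_set(x, y, M):
    """Condition (12): y = x or y = x + 1 mod M."""
    return y == x or y == (x + 1) % M


def simulate_pairs(N, M, delta, e_test, w_key, rng):
    """Step 1 on constructed data (assumed device model, not the paper's).

    Outcomes have uniform marginals for every setting, so the model is
    nonsignaling. On settings in set (12) the BC bit a^b^flag is 1 with
    probability e_test; on key settings (x = 0, y = M) Bob's bit differs
    from Alice's with probability w_key; elsewhere b is independent.
    """
    records = []
    for _ in range(N):
        i, j = int(rng.random() < delta), int(rng.random() < delta)
        x = rng.randrange(M) if i else 0
        y = rng.randrange(M) if j else M
        a = rng.getrandbits(1)
        if i == 0 and j == 0:
            b = a ^ int(rng.random() < w_key)
        elif i == 1 and j == 1 and in_test_set(x, y, M):
            flag = int(x == M - 1 and y == 0)
            b = a ^ flag ^ int(rng.random() < e_test)
        else:
            b = rng.getrandbits(1)
        records.append((i, j, x, y, a, b))
    return records


def estimate(records, M):
    """Step 2: average of B_n over the published pairs satisfying (12).

    w is read off directly because the data are simulated.
    """
    test = [r for r in records
            if r[0] == 1 and r[1] == 1 and in_test_set(r[2], r[3], M)]
    raw = [(r[4], r[5]) for r in records if r[0] == 0 and r[1] == 0]
    if not test or not raw:
        raise ValueError("too few pairs: increase N or adjust delta")
    b_est = sum(bc_value(a, b, x, y, M) for _, _, x, y, a, b in test) / len(test)
    w = sum(a != b for a, b in raw) / len(raw)
    return b_est, w, [a for a, _ in raw], [b for _, b in raw]


def h2(w):
    """Binary Shannon entropy, Eq. (18)."""
    if w <= 0.0 or w >= 1.0:
        return 0.0
    return -w * math.log2(w) - (1 - w) * math.log2(1 - w)


def secret_length(n_raw, b_est, w):
    """Assumed output length: n_raw * [2*log2(1/(sqrt(2)*B_est)) - h(w)],
    evaluated as -1 - 2*log2(B_est) - h(w); zero if the bracket is negative."""
    rate = -1.0 - 2.0 * math.log2(b_est) - h2(w)
    return max(0, math.floor(n_raw * rate))


def sample_hash(n_in, n_out, rng):
    """Step 4: draw G as a uniformly random n_out x n_in binary matrix.
    For a != a', G(a) = G(a') with probability 2**-n_out (two-universal)."""
    rows = [rng.getrandbits(n_in) for _ in range(n_out)]

    def G(bits):
        v = int("".join(map(str, bits)) or "0", 2)
        return [bin(row & v).count("1") & 1 for row in rows]
    return G


def run_protocol(N, M, delta, e_test, w_key, seed):
    rng = random.Random(seed)
    records = simulate_pairs(N, M, delta, e_test, w_key, rng)
    b_est, w, key_a, key_b = estimate(records, M)
    n_s = secret_length(len(key_a), b_est, w)
    G = sample_hash(len(key_a), n_s, rng)
    # key_bob matches key_alice only if Bob's raw key has been corrected
    # (step 3, not implemented here) or w = 0.
    return {"b_est": b_est, "w": w, "n_raw": len(key_a), "n_s": n_s,
            "key_alice": G(key_a), "key_bob": G(key_b)}


if __name__ == "__main__":
    out = run_protocol(N=20000, M=6, delta=0.5, e_test=0.01, w_key=0.01, seed=2)
    print({k: out[k] for k in ("b_est", "w", "n_raw", "n_s")})
```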



IV. UNIVERSALLY-COMPOSABLE SECURITY

We consider the strongest notion of security [13-15],
where the eavesdropper is totally unconstrained (apart
from no-signaling). In particular, she can use nonclassical
systems to store information for an indefinitely long
time, and measure them with observables depending on
the messages published during the protocol. But even
more than this: it is usually the case that the product of
a key distribution protocol, the secret key, is used as an
ingredient for other protocols. If messages are published
during these concatenated protocols, Eve could wait, and
choose the observable depending on these later messages.
We demand that the security of any task which uses our
key distribution protocol as a subroutine is not compromised
by the fact that Eve can wait indefinitely for measuring
her systems.

All the published information which is potentially
correlated to the secret key $K = G(\mathbf{A}_r)$ is:

1. the messages that the honest parties publish in order
to estimate $\mathcal{B}_{\rm est}$, denoted $D$,

2. Alice's message in the error correction step $C = f(\mathbf{A}_r)$,

3. the function $G$.

In this context we define an ideal secret key as

$P^{\rm ideal}_{K,C,E,D,G|Z} = P_U\, P_{C,E,D,G|Z}$ , (15)

where $U$ is uniform on $\{0,1\}^{N_s}$. The actual secret key
generated by the protocol is not shown to be an ideal
key. Instead we demand the following.

Security definition: the actual secret key must be
indistinguishable from an ideal secret key.

This has to be understood in the strongest sense, where
joint measurements on all systems involved in $P_{K,C,E,D|Z}$
are allowed. In other words, even if Alice and Eve bring
their systems together and cooperate for discriminating
between the actual and the ideal distributions, this task
is impossible. Because processing information does not
make two states more distinguishable, in any context
where the ideal key is secure the actual key is secure
too. In Theorem 11 it is shown that

X] ^f'^X] \PK,c,E,G\zik,c,e,g,z) -

k,c,g e

-2-''^Pc,E,G\z{c,e,g,z) ' "^""^

< V2

(16)

holds with probability larger than 1 — 3Ne~^^^^'^^ ^ .
This ensures that the actual and the ideal keys are
indistinguishable (see discussion in [15]). Recall that $z$
parametrizes all possible observables that can be measured
in Eve's system.

V. EFFICIENCY OF THE PROTOCOL



The efficiency of a key distribution scheme is quantified
by the asymptotic secret key rate. This is defined as the
ratio $N_s/N$ in the limit $N \to \infty$, where $N_s$ is the number
of perfect secret bits obtained and $N$ is the number of
pairs of systems consumed. The number $\delta$, defined in the
first step of the protocol, is a free parameter. Choosing
$\delta = N^{-1/4}$ gives $N_e \approx 2\sqrt{N}/M$, which ensures security
(16) as the number of systems consumed grows ($N \to \infty$).
Bob's errors can be corrected if the bit string $C =
f(\mathbf{A}_r)$ has length

$\approx N_r\, h(w)$ , (17)

where $h$ is the binary Shannon entropy

$h(w) = -w \log_2 w - (1-w) \log_2(1-w)$ , (18)
and $w$ is the relative frequency of errors ($B_n \neq A_n$). This
gives an asymptotic secret key rate of

$\lim_{N\to\infty} \frac{N_s}{N} = 2 \log_2 \frac{1}{\sqrt{2}\,\mathcal{B}_{\rm est}} - h(w)$ . (19)

Let us apply this rate formula to the correlations obtained
when measuring the state (8) with the observables
(9), (10), (11). For large $N$, the estimated information
tends to

$\mathcal{B}_{\rm est} = M \left[ p \sin^2 \frac{\pi}{4M} + \frac{1-p}{2} \right] + \frac{1}{2}$ , (20)

$w = \frac{1-p}{2}$ , (21)

with high probability. Substituting this into (19) gives
the rates plotted in FIG. 2. The rate for $M = 2$ is zero,
hence we do not provide a security proof for the
CHSH-protocol [9]. For $M = 3$ the rate is non-zero at high $p$,
but quite small. For $M = 6$ the protocol tolerates the
maximum level of noise ($p_{\min} = .972$). Each amount of
noise $p$ has an optimal number of observables $M$ which
maximizes the rate. In the noiseless limit $p \to 1$ the
optimal $M$ tends to infinity, $M \to \infty$.

FIG. 2: The secret key rate is plotted versus p. The thin
lines correspond to the rates for M = 3, 4, 6, 11, 100. One
can identify the curves by noting that for p = 1 the rate is
monotonically increasing with M. The thick line corresponds
to the rate optimized over M at each value of p.



VI. SECURITY PROOF 

A. Properties of symmetric distributions 

The results derived in this subsection are relevant on
their own. They provide tools for estimating properties
of symmetric distributions without resorting to any de
Finetti-like theorem. We use calligraphic letter $\mathcal{V}$ to denote
the alphabet of values for the corresponding random
variable $V$, that is, $v \in \mathcal{V}$.



Definition 1 Given a string $\mathbf{v} = (v_1, \ldots, v_N) \in \mathcal{V}^N$
define its corresponding frequency $q = \mathrm{freq}(\mathbf{v})$ as

$q(v) = \frac{\text{times } v \text{ appears in } \mathbf{v}}{N}$ . (22)

This function is naturally extended to sets $\mathcal{Q} = \mathrm{freq}(\mathcal{V}^N)$
and random variables $Q = \mathrm{freq}(\mathbf{V})$.

For any $\mathbf{v}$, the frequency $q = \mathrm{freq}(\mathbf{v})$ is a probability
distribution for the random variable $V$, but it has
the specific feature that it only takes values on the set
$\{k/N : k = 0, \ldots, N\}$. $\mathcal{Q}$ is the set of all possible
frequencies, whose cardinality can be bounded as

$|\mathcal{Q}| \leq (N+1)^{|\mathcal{V}|-1}$ . (23)



For what follows, it is convenient to define a particular
kind of probability distributions for $\mathbf{V}$: the distribution
with well-defined frequency $q \in \mathcal{Q}$, denoted $P_{\mathbf{V}|q}$, is
the uniform distribution over all strings $\mathbf{v} \in \mathcal{V}^N$ such
that $\mathrm{freq}(\mathbf{v}) = q$. Another important kind of symmetric
distributions are the i.i.d. distributions, representing
independent and identically-distributed random variables
$V_1, \ldots, V_N$: a distribution $P_{\mathbf{V}}$ is i.i.d. if there exists a
single-copy distribution $P_V$ such that $P_{\mathbf{V}} = (P_V)^{\otimes N}$. If
$P_V(v) < 1$ for all $v$, then the i.i.d. distribution $(P_V)^{\otimes N}$
has not a well-defined frequency. Hence, not all symmetric
distributions have a well-defined frequency. However,
any symmetric distribution $P^{\rm sym}_{\mathbf{V}}$ can be written as a
mixture of distributions with well-defined frequency,

$P^{\rm sym}_{\mathbf{V}} = \sum_{q} P_Q(q)\, P_{\mathbf{V}|q}$ , (24)

where $Q = \mathrm{freq}(\mathbf{V})$. These two equalities establish a
one-to-one correspondence between $Q$ and $\mathbf{V}$, for symmetric
distributions. In the following lemma we show that, in
a sense, general symmetric distributions are similar to
i.i.d. distributions. This result is motivated by the ideas
presented in [16].

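Lemma 2 If there is an event $\mathcal{E} \subset \mathcal{V}^N$ and $\epsilon > 0$
such that for any (single-copy) distribution $P_V$ the bound
$(P_V)^{\otimes N}(\mathcal{E}) \leq \epsilon$ holds, then for any symmetric
distribution $P^{\rm sym}_{\mathbf{V}}$ we have

$P^{\rm sym}_{\mathbf{V}}(\mathcal{E}) \leq \epsilon\, |\mathcal{Q}|$ . (25)

Proof Let us first prove (25) for distributions with
well-defined frequency, that is

$P_{\mathbf{V}|q}(\mathcal{E}) \leq \epsilon\, |\mathcal{Q}|$ , $\forall q \in \mathcal{Q}$ . (26)

For any $q' \in \mathcal{Q}$ we can apply the premise of the
lemma: $(q')^{\otimes N}(\mathcal{E}) \leq \epsilon$. Using the decomposition (24),
we know that there is a random variable $Q'$ such that
$\sum_{q \in \mathcal{Q}} P_{Q'}(q)\, P_{\mathbf{V}|q} = (q')^{\otimes N}$ and then

$\sum_{q \in \mathcal{Q}} P_{Q'}(q)\, P_{\mathbf{V}|q}(\mathcal{E}) \leq \epsilon$ . (27)

In Lemma 3 it is shown that the distribution $P_{Q'}(q)$
reaches the maximum at $q = q'$, which implies $P_{Q'}(q') \geq
1/|\mathcal{Q}|$. Then

$P_{\mathbf{V}|q'}(\mathcal{E}) \leq |\mathcal{Q}|\, P_{Q'}(q')\, P_{\mathbf{V}|q'}(\mathcal{E}) \leq |\mathcal{Q}|\, \epsilon$ ,

where the last inequality follows from (27). Finally, we
prove (25) by applying the bound (26) to each term in
(24). □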

Lemma 3 Let the probability distribution $P_V$ take values
on the set $\{k/N : k = 0, \ldots, N\}$, and let $\mathbf{V} = (V_1, \ldots, V_N)$
be distributed according to $(P_V)^{\otimes N}$. Then the probability
distribution $P_Q$ for $Q = \mathrm{freq}(\mathbf{V})$ takes its maximum at
$Q = P_V$, that is,

$P_Q(P_V) = \max_q P_Q(q)$ . (28)

Proof We show that for any $q \in \mathcal{Q}$ with $q \neq P_V$ there
exists $q' \in \mathcal{Q}$ such that $P_Q(q') > P_Q(q)$. Let thus $q \in \mathcal{Q}$
be fixed such that $q \neq P_V$. We call the support of $q$ the
set of values $v$ such that $q(v) > 0$. If the support of $q$
is not contained in the support of $P_V$ then $P_Q(q) = 0$.
We can thus without loss of generality assume that the
alphabet of $V$, denoted $\mathcal{V}$, is the support of $P_V$, that is,
$P_V(v) > 0$ for all $v \in \mathcal{V}$. For any $v \in \mathcal{V}$ define

$d(v) = q(v) - P_V(v)$ .

Furthermore, let $v_{\min}$ and $v_{\max}$ be defined by

$d(v_{\min}) = \min_v d(v)$
$d(v_{\max}) = \max_v d(v)$

Because $q \neq P_V$ and the assumption of the lemma,
$d(v_{\min}) \leq -1/N$ and $d(v_{\max}) \geq 1/N$. Let us define
$q' \in \mathcal{Q}$ as

$q'(v) = q(v) + \frac{1}{N}$ if $v = v_{\min}$
$q'(v) = q(v) - \frac{1}{N}$ if $v = v_{\max}$
$q'(v) = q(v)$ otherwise.

From the two inequalities above we have

$q'(v_{\max}) \geq P_V(v_{\max})$ . (29)

Using the identity 



PQiQ) 



we find

$\frac{P_Q(q')}{P_Q(q)} = \frac{P_V(v_{\min})\,\left(q'(v_{\max}) + \frac{1}{N}\right)}{P_V(v_{\max})\, q'(v_{\min})} > \frac{P_V(v_{\min})\, q'(v_{\max})}{P_V(v_{\max})\, q'(v_{\min})}$

(note that the terms in the denominator cannot be zero).
By (29), the right-hand side cannot be smaller than 1,
which concludes the proof. □



Lemma 4 (Bernstein's inequality) If $V_1, \ldots, V_N$ are
i.i.d. random variables then

prob{ IVi + • • • + Vjv - N{V) I > iOs/{V^)N^ < 2 e--^'/^ 

where $\langle V \rangle$ and $\langle V^2 \rangle$ are the first and second moment, and
$\omega > 0$.

Lemma 5 Let Vi, . . . ,Vn be symmetrically- distributed 
random variables over the finite alphabet V, and = 
max{|i;|;u € V}. Let Ni,N2 be positive integers such 
that Ni + N2 = N. The random variable 



N, 



1 ^ 



(30) 



n=JVi + l 



satisfies 



prob|(yi ■■■Vn,)< (Kst + N^^/^Y' 
> l-2|Q|exp 



VN2 

Avl 



(31) 



Proof Let us first show (31) for Vi, . . . , V^r being i.i.d. In 
this case 



(32) 



Also, one can apply Bernstein's inequality (Lemma 4) to 
the sum (30) as 



probjl/est < {V) - iVa"'^^} < 2exp(^- 



/iV2 



with LU = N^^^iV^)-^^"^. This, equation (32), and in- 
equality {V^) < v"^ imply 

probj (Vi • • • Vn, ) > (Kst + iVa"'^^) | 

< 2exp -— ^ 

Lemma 2 states that if the above holds for any i.i.d. dis- 
tribution, the following holds for any symmetric distri- 
bution 

probj (Fi • • • Vn, ) > (l4st + ^2"'^') I 

< 2|Q|exp( 



VN2 
4vl 



From here, inequality (31) is immediate. 



□ 



B. Properties of nonsignaling distributions

Let us introduce some notation. We represent single-pair
distributions $P_{A,B|X,Y}$ as vectors with components
arranged in the following way



A,B\X,Y 



Define the vectors 



(33) 



P(0,0|0,0) P(0, i|o,o) 
P(1,0|0,0) P(1,1|0,0) 




P(0, 0|0, M-1) 








P(0,0|M-1,0) 




P(0,0|M-1,M-1) 



Define the following two vectors (which are not probabil- 
ity distributions) 



4M 



1 1 
1 1 


1 1 
1 1 








1 1 
1 1 












1 1 
1 1 


1 1 
1 1 






1 1 
1 1 



(34) 



1 
-1 


1 
-1 








-1 

1 












1 

-1 


1 
-1 






-1 

1 



(35) 



where empty boxes have to be understood as having zeros 

(36) 
















and ellipsis between two identical boxes have to be un- 
derstood as an arbitrarily large sequence of identical 

boxes. From now on, the absolute value of a vector means 
component-wise absolute value. For example 



W = - 



1 

1 


1 

1 








1 

1 












1 

1 


1 
1 






1 

1 



Also, an inequality between two vectors means 

components- wise inequality "<". For example v ^ 



f3a 



M+(-l)V, 



(37) 

(38) 



One can check that the Braunstein-Caves Bell inequality,
defined in (3), can be written as

$\langle \mathcal{B} \rangle = \beta \cdot P_{A,B|X,Y}$ . (39)



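Lemma 6 If $P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y}}$ is an arbitrary $2N$-partite
nonsignaling distribution then for any $\mathbf{a}$

$P_{\mathbf{A}|\mathbf{X}}(\mathbf{a}, \mathbf{0}) = \beta_{\mathbf{a}} \cdot P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y}}$ , (40)

where $\mathbf{0} = (0, \ldots, 0)$.

Proof: Let us first consider the bound (40) for one
pair of systems ($N = 1$). The no-signaling constraint
$P_{A|X,Y}(0, 0, 0) = P_{A|X,Y}(0, 0, 1)$ can also be expressed as
the scalar product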



-1 -1 


1 1 































Pa,b\x,y = 



and the no-signaling constraint -Pb|js:,v'(0, 0, 0) 
Pb\x,y{0, M — 1, 0) can be expressed as 



-1 
-1 
























1 
1 









• Pa,b\x,y — • 



The remaining no-signaling constraints can be written 
in an analogous fashion. A linear combination of those 

equalities gives 



1 1 
1 1 


1 1 
1 1 








1 1 
1 1 












1 1 
1 1 


T_ r_ 






1 1 
1 1 



■Pa,b\x,y=0, (41) 
where T_ = 1 — 2M . If $P_{A,B|X,Y}$ is a nonsignaling
distribution, the following equalities hold.



Pa\xM = 



1 1 

































Pa,b\x,y 



1 1 


1 

-1 








1 

1 























■p 



A,B\X,Y 



1 

-1 


1 

-1 








-1 

1 












1 


2 1 
1 






-1 

1 



•p. 



A,B\X,Y 



The second and third equalities follow by adding linear
combinations of nonsignaling constraints. The above plus
(41) times $1/4M$ gives

$P_{A|X}(0, 0) = (\mu + \nu) \cdot P_{A,B|X,Y}$ .

Under the relabeling

$(A, B) \to (A \oplus 1, B \oplus 1)$ ,

we have the transformations

Pa\x{Q,Q) Pa 



-A\xM 

V 



-A|x(l,0) 



which imply $P_{A|X}(a, 0) = \beta_a \cdot P_{A,B|X,Y}$. The
generalization to pairs of systems is straightforward. Each
no-signaling constraint involves a linear combination of
the entries of $P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y}}$ where all indexes remain constant
except the ones corresponding to one system (like for
instance $a_1, x_1$). Hence we can apply the above argument
to each of the $N$ pairs separately, obtaining (40). □



The following lemma is not necessary for the security 
proof. We include it because it provides insight on the 
trade-off between Bell-inequality violation and correla- 
tion with a third party — the monogamy of nonlocal cor- 
relations. This is explained around equation (7). If, in 
addition to no-signaling, one also assumes the validity of 
quantum theory, the following lemma together with [17] 
is enough to establish the security of privacy amplifica- 
tion, and provides a larger efficiency rate 

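Lemma 7 Let $P_{\mathbf{A},\mathbf{B},E|\mathbf{X},\mathbf{Y},Z}$ be an arbitrary $(2N+1)$-partite
nonsignaling distribution and define

$P_{\rm guess}(\mathbf{A}|E, \mathbf{x}) = \max_z \sum_e P_{E|Z}(e, z)\, \max_{\mathbf{a}} P_{\mathbf{A}|\mathbf{X},E,Z}(\mathbf{a}, \mathbf{x}, e, z)$ . (42)

For any $\mathbf{x}$ we have

$P_{\rm guess}(\mathbf{A}|E, \mathbf{x}) \leq \langle \mathcal{B}_1 \cdots \mathcal{B}_N \rangle$ , (43)

where $\mathcal{B}_n = \mathcal{B}[A_n, B_n, X_n, Y_n]$ and $\mathcal{B}$ is defined by (3).

Proof: Using the no-signaling condition we can write

$P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y}} = \sum_e P_{E|Z}(e, z)\, P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y},E,Z}(e, z)$ . (44)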



Let us show that 



Pa, 



(45) 



for any n and any (ai,...,a„) G {0,1}". First, ex- 
pand each side of this inequality according to defini- 
tions (37) and (38); second, note that TJ^®" ^ = 
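and finally, use this to show that each term in
the left is component-wise bounded by the corresponding
term in the right. Let us show (43) for the case
$\mathbf{x} = (0, \ldots, 0)$. In the following chain of equalities and
inequalities we use, respectively: the definition of $P_{\rm guess}$ in
(42); Lemma 6; inequality (45) and positivity of the vectors
$P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y},E,Z}(e, z)$; the linearity of the scalar product;
decomposition (44); and the identity (39).

$P_{\rm guess}(\mathbf{A}|E, \mathbf{x})$

$= \max_z \sum_e P_{E|Z}(e, z)\, \max_{\mathbf{a}} P_{\mathbf{A}|\mathbf{X},E,Z}(\mathbf{a}, \mathbf{x}, e, z)$

$= \max_z \sum_e P_{E|Z}(e, z)\, \max_{\mathbf{a}} \beta_{\mathbf{a}} \cdot P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y},E,Z}(e, z)$

$\leq \max_z \sum_e P_{E|Z}(e, z)\, \beta^{\otimes N} \cdot P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y},E,Z}(e, z)$

$= \max_z \beta^{\otimes N} \cdot \left[ \sum_e P_{E|Z}(e, z)\, P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y},E,Z}(e, z) \right]$

$= \beta^{\otimes N} \cdot P_{\mathbf{A},\mathbf{B}|\mathbf{X},\mathbf{Y}}$

$= \langle \mathcal{B}_1 \cdots \mathcal{B}_N \rangle$ .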
In order to extend this inequality to all values of $\mathbf{x}$,
consider the relabeling. For any $m \in \{0, \ldots, M-1\}$

$X \to X + m \bmod M$
$Y \to Y + m \bmod M$
$A \to A \oplus I\{M - m \leq X \leq M - 1\}$
$B \to B \oplus I\{M - m \leq Y \leq M - 1\}$ (46)

This relabeling corresponds to a permutation of the
entries of the vectors (33) such that

$P_{A|X}(a, 0) \to P_{A|X}(a, m)$ .

This relabeling leaves the vector $\beta$ invariant. Hence,
performing the relabeling to each pair with $m = x_n$, the
above inequality for $\mathbf{x} = (0, \ldots, 0)$ is generalized to any
value of $\mathbf{x}$. □



C. Privacy amplification 

This privacy amplification scheme is similar to the one
introduced in [15]. It has the advantage that one can hash
out any information about the raw key $C = f(\mathbf{A})$, that is,
the function $f$ is arbitrary. In contrast, the scheme
introduced in [15] only works when the function $f$ is generic.
Our privacy amplification scheme has the disadvantage
that it needs a random hash function $G$, in particular a
two-universal one [18], while the one in [15] works with
a deterministic hash function.



Definition 8 A random function $G : \{0,1\}^N \to \{0,1\}^{N_s}$
is called two-universal [18] if for any pair $\mathbf{a}, \mathbf{a}' \in \{0,1\}^N$
such that $\mathbf{a} \neq \mathbf{a}'$ we have

$\mathrm{prob}\{G(\mathbf{a}) = G(\mathbf{a}')\} \leq 2^{-N_s}$ . (47)

Lemma 9 If $G : \{0,1\}^N \to \{0,1\}^{N_s}$ is a two-universal
random function, then for any subset $\mathcal{A} \subset \{0,1\}^N$ we
have



ae.4 



(48) 



where k runs over {0, 1}^=. 



Proof In what follows we take the square of the left-hand 

side of (48); use the convexity of the square function; sum 
over k; partially sum over a, a! ,g; use the two- universality 



of G; and a trivial bound. 

k,g a£.4 

< e2-^=^g(5) e (2^^^^'(a)^.^a') + 1 - 

k.g a,a.'GA 
g a,a'e,4 

= E (E^G(5)^:Sy +2^=1^1 - \A\' 

< {\Af~\A\)+2''^\A\-\Af 

< 2^'\A\ . 



□ 



Theorem 10 Let $P_{\mathbf{A},\mathbf{B},E|\mathbf{X},\mathbf{Y},Z}$ be a $(2N+1)$-partite
nonsignaling distribution, let $C = f(\mathbf{A})$ where $f :
\{0,1\}^N \to \{0,1\}^{N_c}$ is a given function, and let $K = G(\mathbf{A})$
where $G : \{0,1\}^N \to \{0,1\}^{N_s}$ is a two-universal random
function, then

E °^f^E \PK,c,E,G\x,zik,c, e, g,0, z) - 

k,c,g e 

-2-^=Pc,B,G|x,z(c,e,5,O,0) 



(49) 



where $\mathcal{B}_n = \mathcal{B}[A_n, B_n, X_n, Y_n]$ and $\mathcal{B}$ is defined in (3).

Proof For any subset $\mathcal{A} \subset \{0,1\}^N$ we have the following
chain of component-wise inequalities.



E^«(5)|E(^.V)- 2-"=) 
^ E^«(5)(m^"|E('^.V)-2-"=) 

k,g ae.4 

+ iH®M®^-^|E(-ir(^.V)-2 

ae.4 

+ • • • + kl®"^ I E (-l)''^+-+°- (<5g%) - 2-^=) I) 



+ 



ae.4 



+ ... + \yf>N^2' + N^\A\ 



In the first step we use the expansion 

N 



(8)/3a„ 



(50) 



(51) 



\ai-\ \-aN y®N 
and the component-wise triangular inequality. In the second
step we use the following triangular inequality for
any $\mathbf{u} \in \{0,1\}^N$



aeA 

ae.4: a-u=0 mod 2 

+ 1 E (^.V)-2-"=) 

aG-4: a-u— I mod 2 



following establishes (49). 

k,c,g e 
k,c,g e 

= E"^f-E^..eJ E ('5.V)-2-^=)^a|e,. 



k,c,g 



ae/-i(c) 



^ E^^l E (^.V)-2-"=)0/3a. 



n=l 



A,B|X,Y 



Lemma 9, and the concavity of the square-root function < ^/^}+nI+nI+n jj®^ . Pa.,b|x,y 



(54) 



M 



E^^ 



; < 



M 



(52) 



In the above we have respectively used: the definition 
of conditional distribution: equality -Pc = 



ae/-i(c) 



p. 



inequality (53) with $\mathcal{A} = f^{-1}(c)$; the component-wise inequality (50) together with the fact that the components of the vector $P_{A,B|X,Y}$ are positive; and the last inequality follows from (52) and $\sum_c |f^{-1}(c)| = 2^N$. □



For the last inequality all terms are summed up by using 
(} = li+\v\. 

In the rest of this proof the following notation is used. We denote by $P_{A,B,e|X,Y,z} = P_{A,B,E|X,Y,Z}(e,z)$ the vector with entries $P_{A,B,E|X,Y,Z}(a,b,e,x,y,z)$ for all values of $a, b, x, y$ and fixed values of $e, z$. Following this notation we can write $P_a = P_A(a)$. For any subset $\mathcal{A} \subseteq \{0,1\}^N$ and any set of coefficients $\eta_a$ we have the following chain of equalities and inequalities,



E^el. 


E VaPa\e,z 








e 


ae.4 


N 






= E^el. 






-PA,B|X,Y,e,z 




e 


ae.4 


N 






< E^el. 


E^- 




• -fA,B|X,Y,e,z 




e 


ae.4 

JV 














■ E ^^\^ -^A,B|X,Y,e,z 




ae.4 


n=l 

N 


e 












■ -Pa,b|x,y ; 




ae.4 


n=l 









(53) 



where we have respectively used: Lemma 6, the Cauchy-Schwarz inequality, the linearity of the scalar product, and the definition of the conditional distribution. The



D. Security from estimated information 

According to the previous theorem, the security of the secret key can be bounded in terms of the quantity $\langle B_1 \cdots B_N \rangle$, which does not depend on $E$ at all! This is a particular manifestation of the monogamy of nonlocal correlations. In the unconditional-security scenario Alice and Bob do not know the distribution $P_{A,B|X,Y}$; hence, how can they estimate $\langle B_1 \cdots B_N \rangle$? The only thing they know is the estimated information $B_{\rm est}$, defined in (13). The following result establishes the security of the secret key in terms of $B_{\rm est}$.

Theorem 11 Let $P_{A,B,E|X,Y,Z}$ be a $(2N+1)$-partite nonsignaling distribution whose marginal $P_{A,B|X,Y}$ is symmetric with respect to the $N$ 4-component variables $(A_n, B_n, X_n, Y_n)$. Suppose the first $N_r$ systems of Alice are measured with $X = 0$, obtaining the outcomes $A_r = (A_1, \ldots, A_{N_r})$. Suppose the last $N_e = N - N_r$ pairs are measured with $(X_n, Y_n)$ chosen uniformly on $\{(x,y) : y = x \text{ or } y = x + 1 \bmod M\}$, and let

$$B_{\rm est} = \frac{1}{N_e} \sum_{n=N_r+1}^{N} B[A_n, B_n, X_n, Y_n] . \qquad (55)$$

Let $C = f(A_r)$ where $f : \{0,1\}^{N_r} \to \{0,1\}^{N_c}$ is a given function, and $K = g(A_r)$ where $G : \{0,1\}^{N_r} \to \{0,1\}^{N_s}$ is a two-universal random function with output size



7V3 = 7V,21og 



I/V2 



(56) 
The inequality



X] \PK,c,E,G\z{k,c,e,g,z) 

k,c,g e 



-2 '''Pc,E,G\z{c,e,g,z) 



< y/2 



(57) 



holds with probability larger than $1 - 3N e^{-\sqrt{N}\,(3M)^{-2}}$.

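Proof Applying Lemma 5 to $B_{\rm est}$ and $\langle B_1 \cdots B_{N_r} \rangle$ we conclude that

$$\langle B_1 \cdots B_{N_r} \rangle \leq \left(B_{\rm est} + N^{-1/4}\right)^{N_r} \qquad (58)$$

holds with probability larger than

$$1 - 2(N+1)\exp\!\left[-(1+2M)^{-2}\sqrt{N}\right] \geq 1 - 3N\exp\!\left[-(3M)^{-2}\sqrt{N}\right] .$$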

For the last, note that the maximum value the variable 
B can achieve is 1/2 + M. Using Theorem 10, inequality 
(58), and the assignation (56) we obtain 

X! \PK,c,E,G\z{k,c,e,g,z) 

k,c,g e 

-2-^»PaB,G|z(c,e,ff,z) 



< \/2' 

< \/2" 



■N,+N^+N^ + l 



B,,, + N-y^ 



which concludes the security proof. □

Now, a few comments are in order.



1. Note that the distribution $P_{A,B,E|X,Y,Z}$ considered in Theorem 11 does not represent all pairs of systems that Alice and Bob share at the beginning of the protocol. It does not include the pairs such that $I_n = J_n = 1$ but which do not satisfy condition (12). However, this is irrelevant in establishing the security of the secret key $K$ (see comments below).

2. There is no reason to believe that the honest parties' marginal distribution is symmetric. However, it is measured and processed in a completely symmetric way. For example, the pairs used in the estimation of $B_{\rm est}$ are chosen at random. This is equivalent to the situation considered in Theorem 11, where the distribution is assumed to be symmetric and the pairs used in the estimation constitute a fixed subset.

3. Theorem 11 limits the knowledge that Eve has about the secret key $K$, even if she hears the messages published in the error correction step $C = f(A_r)$. However, the messages published in the estimation of $B_{\rm est}$, denoted by $D$ in (16), are not considered. The information $D$ is not a function of $A_r$; $D$ is generated by measuring other systems. Therefore, we can consider those systems (the ones used in the estimation), as well as the rest of the universe, as part of Eve's power. Summarizing, the situation considered in Theorem 11 is as complete as required in (16).



VII. CONCLUSIONS 

We show that it is possible to generate secret key from correlations that violate the Braunstein-Caves inequality [5] by a sufficient amount. We prove this according to the strongest notion of security, the so-called universally-composable security [13, 14]. The only assumption used in the security proof is the impossibility of arbitrarily-fast signaling between subsystems by performing local measurements.

We introduce an exponentially-accurate scheme for estimating symmetric properties of general distributions. This allows Alice and Bob to treat any unknown given correlations as if they were generated by independent and identically-distributed samples. This can be useful in order to quantify Bell-inequality violations without the i.i.d. assumption.

Our approach to QKD goes beyond the philosophy of [1], in which there is still quantum mechanics; in particular, the validity of Tsirelson's bound [19] is assumed. In contrast, our approach is conceptually simpler in that all we assume is no-signaling. It is remarkable that, although our security is based on weaker assumptions, the secret key rates that we obtain are comparable to the ones where the adversary's attack is constrained by no-signaling plus quantum mechanics [6]. In particular, we obtain the optimal rate of one secret bit per singlet consumed. Our results also contribute to the understanding of quantum cryptography where the honest users do not have a complete control of their quantum apparatuses, or distrust them [9, 20].

QKD is a present-day technology. Entanglement-based protocols are usually implemented with a source that sequentially sends entangled pairs of systems to Alice and Bob. Each pair is measured in Alice and Bob's locations with the same two apparatuses. Those measuring apparatuses could generate outcomes depending on previous inputs. If this is the case, our assumptions for the security proof do not hold, because there is signaling between measuring events within the same lab. It would be desirable to have a security proof which accommodates this situation. Therefore, an important open problem is to obtain a security proof from weaker no-signaling assumptions.